AWS Bedrock Guardrails

AWS Bedrock Guardrails provides a comprehensive solution for securing your LLM applications, including content filtering, PII detection and redaction, and more.

To get started with AWS Bedrock Guardrails, visit their documentation:

​

Using AWS Bedrock Guardrails with Portkey

​

1. Create a guardrail on AWS Bedrock

• Navigate to AWS Bedrock -> Guardrails -> Create guardrail
• Configure the guardrail according to your requirements
• For PII redaction, we recommend setting the Guardrail behavior as BLOCK for the required entity types. This is necessary because Bedrock does not apply PII checks on input (request message) if the behavior is set to MASK
• Once the guardrail is created, note the ID and version displayed on the console - you’ll need these to enable the guardrail in Portkey

​

2. Enable Bedrock Plugin on Portkey

• Navigate to the Integration page under Sidebar
• Click on the edit button for the Bedrock integration
• Add your Bedrock Region, AwsAuthType, Role ARN & External IDcredentials (refer to Bedrock’s documentation for how to obtain these credentials)

​

3. Create a Guardrail on Portkey

• Navigate to the Guardrails page and click the Create button
• Search for Apply bedrock guardrail and click Add
• Enter the Guardrials ID and version of the guardrail you created in step 1
• Enable or disable the Redact PII toggle as needed
• Set any actions you want on your guardrail check, and click Create

​

4. Add Guardrail ID to a Config and Make Your Request

• When you save a Guardrail, you’ll get an associated Guardrail ID - add this ID to the before_request_hooks or after_request_hooks params in your Portkey Config
• Create these Configs in Portkey UI, save them, and get an associated Config ID to attach to your requests. More here.

Here’s an example configuration:

{
  "before_request_hooks": [
      {"id": "guardrails-id-xxx"}
    ],
  "after_request_hooks": [
      {"id": "guardrails-id-xxx"}
  ]
}

const portkey = new Portkey({
    apiKey: "PORTKEY_API_KEY",
    config: "pc-***" // Supports a string config id or a config object
});

For more, refer to the Config documentation.

​

Using AWS Bedrock Guardrails - Scenarios

After setting up your guardrails, there are different ways to use them depending on your security requirements:

​

Only Detect PII, Harmful Content, etc.

To simply detect but not redact content:

• Keep the Redact PII flag disabled when creating the guardrail on Portkey
• If any filters are triggered, the response status code will be 246 (instead of 200)
• The response will include a hook_results object with details for all checks

​

Redact PII and Detect Other Filters

To automatically redact PII while still checking for other issues:

• Enable the Redact PII flag when creating the guardrail on Portkey
• If PII is detected, it will be automatically redacted and the status code will be 200
• If other issues (like harmful content) are detected, the response code will be 246
• The response will include a hook_results object with all check details
• If PII was redacted, the results will have a flag named transformed set to true

​

Deny Requests with Policy Violations

To completely block requests that violate your policies:

• Enable the Deny option in the guardrails action tab
• If any filters are detected, the request will fail with response status code 446
• However, if only PII is detected and redaction is enabled, the request will still be processed (since the issue was automatically resolved)

​

Using Raw Guardrails with AWS Bedrock

You can define AWS Bedrock guardrails directly in your code for more programmatic control without using the Portkey UI. This “raw guardrails” approach lets you dynamically configure guardrails based on your application’s needs.

{
  "before_request_hooks": [
    {
      "type": "guardrail",
      "id": "bedrock-guardrail",
      "credentials": {
        // You can choose EITHER set of credentials for bedrock
        "awsAccessKeyId": "string",
        "awsSecretAccessKey": "string",
        "awsSessionToken": "string", //(optional)
        "awsRegion": "string",
        // OR
        "awsAuthType": "assumedRole",
        "awsRoleArn": "string",
        "awsExternalId": "string",
        "awsRegion": "string",
      },
      "checks": [
        {
          "id": "bedrock.guard",
          "parameters": {
            "guardrailId": "YOUR_GUARDRAIL_ID",
            "guardrailVersion": "GUARDRAIL_VERSION",
            "redact": true, // or false
            "timeout": 5000 // timeout in ms
          }
        }
      ],
      "deny": true,
      "async": false,
      "on_success": {
        "feedback": {
          "weight": 1,
          "value": 1,
          "metadata": {
            "user": "user_xyz"
          }
        }
      },
      "on_fail": {
        "feedback": {
          "weight": 1,
          "value": -1,
          "metadata": {
            "user": "user_xyz"
          }
        }
      }
    }
  ]
}

​

Get Support

If you face any issues with the AWS Bedrock Guardrails integration, just ping us on the community forum.